Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
866
Views
0
Helpful
4
Replies

Installing aip ssc-5 in a failover pair

Go to solution
3moloz123
Level 1
Level 1

ā€Ž10-18-2013 02:16 AM - edited ā€Ž03-11-2019 07:53 PM

Hi,

I have a pair of aip ssc-5's that needs to be installed in a pair of failover pair of 5505's. I wonder what the right process is, minimizing downtime. Will there be problems if I take the passive node down, install the aip ssc-5 and boot it up, because they are not identical hardware wise?

I also wonder if the configuration of the modules will be replicated, or if it will have to be manually configured identical.

Thanks in advance for any insight

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
amitaaga
Cisco Employee
Cisco Employee

ā€Ž10-18-2013 08:11 AM

Will there be problems if I take the passive node down, install the aip  ssc-5 and boot it up, because they are not identical hardware wise?

Yes, this understanding is correct.

We need to arrange some downtime to be able to carry out this activity. Steps that can be followed are as follows:

1] Shut down the standby unit. Insert the module inside it & let it be down.

2] Shut down the active unit. Insert the module inside it and power it back on. (the time it will take to carry out this task will be the net downtime)

3] Once the active unit comes back on. Power on the standby unit.

4] Configure policy to redirect traffic to the aip module on the active unit. This policy will get replicated over to the standby as well.

5] Configure IPS modules separately on both ASA's as config on the modules wont get replicated.

Hope it helps.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

ā€Ž10-18-2013 07:56 AM

I think the failover pair will not reestablish correctly when you install the SSC-5 in the standby unit as the hardware will no  longer be identical. (Though I've never tried it with AIP modules per se.)

Re configuration, only the firewall service policy rules directing traffic to the module is replicated. Any configuration of the IPS itself must be done separately on each module.

0 Helpful

Go to solution
amitaaga
Cisco Employee
Cisco Employee

ā€Ž10-18-2013 08:11 AM

Will there be problems if I take the passive node down, install the aip  ssc-5 and boot it up, because they are not identical hardware wise?

Yes, this understanding is correct.

We need to arrange some downtime to be able to carry out this activity. Steps that can be followed are as follows:

1] Shut down the standby unit. Insert the module inside it & let it be down.

2] Shut down the active unit. Insert the module inside it and power it back on. (the time it will take to carry out this task will be the net downtime)

3] Once the active unit comes back on. Power on the standby unit.

4] Configure policy to redirect traffic to the aip module on the active unit. This policy will get replicated over to the standby as well.

5] Configure IPS modules separately on both ASA's as config on the modules wont get replicated.

Hope it helps.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to amitaaga

ā€Ž10-18-2013 08:57 AM

Amitaaga,

That matches my understanding exactly.

Endorsed.

0 Helpful

Go to solution
amitaaga
Cisco Employee
Cisco Employee
In response to Marvin Rhoads

ā€Ž10-19-2013 10:25 AM

Thanks Marvin

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card